From df0e34b69d35dc78727531447435dae77eb3d2be Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Thu, 9 Nov 2023 20:53:13 -0500 Subject: [PATCH 01/13] initial commit --- cves/kernel/CVE-2013-4513.yml | 2 +- cves/kernel/CVE-2017-10911.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index fd5e12b03..851e33a87 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that diff --git a/cves/kernel/CVE-2017-10911.yml b/cves/kernel/CVE-2017-10911.yml index 481704f0e..d6346539f 100644 --- a/cves/kernel/CVE-2017-10911.yml +++ b/cves/kernel/CVE-2017-10911.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that From 5eda2b8a9ad6552d35c7e7ecba327f7bf64b8014 Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Sat, 11 Nov 2023 16:50:51 -0500 Subject: [PATCH 02/13] still need to research when & how discovered --- cves/kernel/CVE-2013-4513.yml | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index 851e33a87..5d2a30f15 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,12 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: OZWpan is a technology related to Personal Area Networking, specifically wireless networking. It's designed for +short-range communication, typically used in devices like wireless keyboards, mice, and other peripherals that operate in close +proximity to a central device like a computer. The specific file involved in this vulnerability contains code for creating and managing character devices +for the OZWpan driver. In Linux, a character device is a type of device file that allows for the input and output of data one +character at a time. The write operation in the wireless device driver file potentially causes a buffer overflow, which can lead to DoS +or possibly have unspecified other impact via a crafted write operation. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -89,9 +94,7 @@ fixes: - commit: note: - commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + note: Manually confirmed. vcc_instructions: | The vulnerability-contributing commits. @@ -106,7 +109,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 23af8c2a088fe5ae142103fb32fa03755cda694c - note: Discovered automatically by archeogit. + note: Discovered automatically by archeogit. Verified by a human. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -219,8 +222,11 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: drivers + note: specifically affects the staging folder in the drivers subsystem. The staging directory is used for drivers that are not yet + fully matured or stable enough to be included in the main kernel tree. These drivers are still under development and testing. + The staging area serves as a place where developers can collaborate to improve these drivers until they are + ready for inclusion in the main part of the kernel. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -466,9 +472,7 @@ CWE_instructions: | CWE: 123 # also ok CWE: - 119 -CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". +CWE_note: Manually confirmed nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. From fa7d644eeb75c55f2ead5120703c9c47c35294b1 Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Sat, 11 Nov 2023 17:19:47 -0500 Subject: [PATCH 03/13] indentation fix --- cves/kernel/CVE-2013-4513.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index 5d2a30f15..8c6276745 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -56,11 +56,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: OZWpan is a technology related to Personal Area Networking, specifically wireless networking. It's designed for -short-range communication, typically used in devices like wireless keyboards, mice, and other peripherals that operate in close -proximity to a central device like a computer. The specific file involved in this vulnerability contains code for creating and managing character devices -for the OZWpan driver. In Linux, a character device is a type of device file that allows for the input and output of data one -character at a time. The write operation in the wireless device driver file potentially causes a buffer overflow, which can lead to DoS -or possibly have unspecified other impact via a crafted write operation. + short-range communication, typically used in devices like wireless keyboards, mice, and other peripherals that operate in close + proximity to a central device like a computer. The specific file involved in this vulnerability contains code for creating and managing character devices + for the OZWpan driver. In Linux, a character device is a type of device file that allows for the input and output of data one + character at a time. The write operation in the wireless device driver file potentially causes a buffer overflow, which can lead to DoS + or possibly have unspecified other impact via a crafted write operation. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -224,9 +224,9 @@ subsystem: name: subsystemA # also ok name: drivers note: specifically affects the staging folder in the drivers subsystem. The staging directory is used for drivers that are not yet - fully matured or stable enough to be included in the main kernel tree. These drivers are still under development and testing. - The staging area serves as a place where developers can collaborate to improve these drivers until they are - ready for inclusion in the main part of the kernel. + fully matured or stable enough to be included in the main kernel tree. These drivers are still under development and testing. + The staging area serves as a place where developers can collaborate to improve these drivers until they are + ready for inclusion in the main part of the kernel. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? From 4e868b0299714e65d429664969c6fe2bcd5ce50c Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Sat, 11 Nov 2023 17:48:45 -0500 Subject: [PATCH 04/13] added mistakes --- cves/kernel/CVE-2013-4513.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index 8c6276745..a67106a22 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -454,7 +454,11 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: Since this vulenrability was implemented in the staging directory of the drivers, + it is very possible that the authors of the file that contained the vulnerability simply overlooked + this buffer overflow. A such, this mistake can be classified as a slip. Probably the developers of the + commit didn't pay enough attention, and with the language of implementation being C such mistakes are + very common. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From 53fb25315ac017802d0c9f77650d446b74ad4554 Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Mon, 13 Nov 2023 16:40:24 -0500 Subject: [PATCH 05/13] some work on 2013-4513 --- cves/kernel/CVE-2013-4513.yml | 60 +++++++++++++++++++---------------- 1 file changed, 32 insertions(+), 28 deletions(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index a67106a22..01f879daf 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2013-10-29' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -132,10 +132,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: linux kernel doesn't contain any traditional unit tests in the repo or ci/cd pipelines. Developers are responsible for testing their code themselves. + fix: false + fix_answer: Same as code. discovered: question: | How was this vulnerability discovered? @@ -150,10 +150,12 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: The vulnerability was discovered by two developers, Nico Golde and Fabian Yamaguchi around 2013-10-29. It + is hard to determine the precise date because the date when the vulnerability was discovered is not actually mentioned anywhere in the + kernel mailing list archives, commit messages, or on bugzilla. + automated: false + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -170,8 +172,9 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: A unit test can detect buffer oveflows. The problem is that the kernel tree is so big it is impossible to develop unit tests for everything. + Kernel developers rely solely on their own testing skills and abilities. + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -187,8 +190,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: I have not found any mention of specification violation. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -257,8 +260,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This is a buffer overflow error in a wireless devic driver. It does not affect internationalization (unless you consider the whole system going down an internationalization issue). sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -272,8 +275,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: I read in the mailing list archives that one consequence of a buffer overflow in this vulnerability is that a program which writes to a + device through this driver could potentially elevate its privileges. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -284,8 +288,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: Since this is a driver that writes to file, IPC is affected directly. discussion: question: | Was there any discussion surrounding this? @@ -326,8 +330,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: The fix's commit message says signed-off-by Linus Torvalds stacktrace: question: | Are there any stacktraces in the bug reports? @@ -341,9 +345,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: + note: Did not find any stack traces in commit messages or mailing archives forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -362,8 +366,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: quote from the fix commit -- We need to check "count" so we don't overflow the ei->data buffer. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -375,8 +379,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Order of operations was not the issue lessons: question: | Are there any common lessons we have learned from class that apply to this From 4c1e4e736c4065ff46779a6ed78b96b7e8293344 Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Mon, 13 Nov 2023 16:44:16 -0500 Subject: [PATCH 06/13] disagreement --- cves/kernel/CVE-2013-4513.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index 01f879daf..f6b1ea951 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -315,9 +315,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: Did not find any discussion except for - bug found - fixing it - merged fix vouch: question: | Was there any part of the fix that involved one person vouching for From 4d55e905ac46b6ebb2424f961f9a197b9c62d0c9 Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Mon, 13 Nov 2023 16:56:54 -0500 Subject: [PATCH 07/13] more edits --- cves/kernel/CVE-2013-4513.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index f6b1ea951..bedc0d9a0 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -409,8 +409,9 @@ lessons: applies: note: distrust_input: - applies: - note: + applies: true + note: A carefully crafted program can exploit this vulnerability to provide malicious input that will cause buffer + overflow for the driver, potentially causing denial of service on the entire system. security_by_obscurity: applies: note: From ded0ff50ea15c59a74e31c223335b995236e3cf2 Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Mon, 13 Nov 2023 17:04:58 -0500 Subject: [PATCH 08/13] 2013-4513 --- cves/kernel/CVE-2013-4513.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index bedc0d9a0..4fb2d3e11 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -397,13 +397,13 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: false note: least_privilege: - applies: + applies: false note: frameworks_are_optional: - applies: + applies: false note: native_wrappers: applies: @@ -428,8 +428,9 @@ lessons: applies: note: complex_inputs: - applies: - note: + applies: true + note: The vulnerability involved input that has to be specifically crafted to cause buffer overflow. Buffer overflow would + not happen in normal conditions. mistakes: question: | In your opinion, after all of this research, what mistakes were made that From 2cf6ed76646d86f805f4daf8a25699e9401ce22c Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Tue, 14 Nov 2023 14:38:44 -0500 Subject: [PATCH 09/13] 2017-10911 --- cves/kernel/CVE-2017-10911.yml | 146 ++++++++++++++++----------------- 1 file changed, 73 insertions(+), 73 deletions(-) diff --git a/cves/kernel/CVE-2017-10911.yml b/cves/kernel/CVE-2017-10911.yml index d6346539f..2f74c103d 100644 --- a/cves/kernel/CVE-2017-10911.yml +++ b/cves/kernel/CVE-2017-10911.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2017-06-13' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -34,11 +34,11 @@ announced_instructions: | This is not the same as published date in the NVD - that is below. Please enter your date in YYYY-MM-DD format. -announced_date: '2017-07-05' +announced_date: '2017-07-04' published_instructions: | Is there a published fix or patch date for this vulnerability? Please enter your date in YYYY-MM-DD format. -published_date: '2017-07-05' +published_date: '2017-07-04' description_instructions: | You can get an initial description from the CVE entry on cve.mitre.org. These descriptions are a fine start, but they can be kind of jargony. @@ -55,7 +55,10 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: The gist of the vulenrability is that the data structs in a certain + driver implementation of the Xen virtualization environment were not padded right and, therefore, + could leak data if exploited by a malicious party. As a result, the malicious party could obtain priviliged + data stored in memory of the program which belongs to the host or other guest users. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -75,7 +78,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [1458870] fixes_instructions: | Please put the commit hash in "commit" below. @@ -84,14 +87,9 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: '089bc0143f489bd3a4578bdff5f4ca68fb26f341' note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -107,14 +105,6 @@ vcc_instructions: | vccs: - commit: 4d05a28db56225bbab5e1321d818f318e92a4657 note: Discovered automatically by archeogit. -- commit: 8812293323a79134e06c3bf82eba1e217d23382e - note: Discovered automatically by archeogit. -- commit: 597957000ab5b1b38085c20868f3f7b9c305bae5 - note: Discovered automatically by archeogit. -- commit: 452a6b2bb6de677acdd2ccb8b39cf6e8fe06f306 - note: Discovered automatically by archeogit. -- commit: 97e36834f5a106459ab1b290e663a4eb6264639e - note: Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -137,10 +127,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: Did not find any mention of unit tests in the vcc messages + fix: false + fix_answer: Did not find any mention of unit tests in the fix commit message discovered: question: | How was this vulnerability discovered? @@ -155,10 +145,13 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Not a lot of information provided, but it seems like the vulenrability was + discovered by the developers of the Suse (Enterprise Linux provider) software corporation. + It appeats that this vulenrability was then reported to the Xen development team, based on + the website xenbits.xen.org and its logs. + automated: false + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -175,8 +168,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: Probably could be discovered by a fuzzer, since the vulnerability exploits a memory leak. + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -192,8 +185,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: No mention of any specification or its violation anywhere. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -227,8 +220,8 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: driver + note: The block device (e.g. a hard drive) driver for Xen virtualization software interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -243,10 +236,14 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: - - commit: - note: + - commit: 8812293323a79134e06c3bf82eba1e217d23382e + note: This commit was partially responsible for the vulnerability. + - commit: 597957000ab5b1b38085c20868f3f7b9c305bae5 + note: This commit was partially responsible for the vulnerability. + - commit: 452a6b2bb6de677acdd2ccb8b39cf6e8fe06f306 + note: This commit was partially responsible for the vulnerability. + - commit: 97e36834f5a106459ab1b290e663a4eb6264639e + note: This commit was partially responsible for the vulnerability. i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -259,8 +256,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Internationalization has nothing to do with this vulenrability. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -274,8 +271,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: The vulnerability can expose stack data of the host or other guest users. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -286,8 +283,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The vulenrability does not involve IPC. discussion: question: | Was there any discussion surrounding this? @@ -313,9 +310,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: Did not find any significant discussion vouch: question: | Was there any part of the fix that involved one person vouching for @@ -328,8 +325,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: Other developers signed off on the commit. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -343,9 +340,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: No mention of any stacktraces. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -364,8 +361,9 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The vulenrability involves incorrect memory allocation and data leakage from the stack as a + result of this. Not a forgotten check. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -377,8 +375,9 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The vulenrability involves incorrect memory allocation and data leakage from the stack as a + result of this. Not order of operations issue. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -395,38 +394,39 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: false note: least_privilege: - applies: - note: + applies: true + note: The vulenrability exposes data of other users of the system, which violates the least privilege principle. frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: - applies: + applies: false note: security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: - applies: + applies: false note: secure_by_default: - applies: - note: + applies: true + note: A more carefully designed struct would prevent this vulenrability. I.e. a struct that was designed + to be secure to memory leaks by default. yagni: - applies: + applies: false note: complex_inputs: - applies: - note: + applies: true + note: A complex input can result in memory leakage based on this vulenrability. mistakes: question: | In your opinion, after all of this research, what mistakes were made that @@ -456,7 +456,8 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: I believe this was a planning error because the initial struct was not + properly designed and caused memory leaks which were discovered later. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -475,11 +476,10 @@ CWE_instructions: | CWE: - 200 CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". + Manually confirmed nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. nickname: -CVSS: +CVSS: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N From a04348fb0440316dbdfce92955eb5f6075faaed3 Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Tue, 14 Nov 2023 15:17:59 -0500 Subject: [PATCH 10/13] 2013-4513 --- cves/kernel/CVE-2013-4513.yml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index 4fb2d3e11..c65fea547 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -80,7 +80,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [492532] fixes_instructions: | Please put the commit hash in "commit" below. @@ -89,10 +89,6 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15 note: Manually confirmed. vcc_instructions: | @@ -135,7 +131,7 @@ unit_tested: code: false code_answer: linux kernel doesn't contain any traditional unit tests in the repo or ci/cd pipelines. Developers are responsible for testing their code themselves. fix: false - fix_answer: Same as code. + fix_answer: Didn't fine any unit tests or mentions of unit tests. discovered: question: | How was this vulnerability discovered? @@ -244,10 +240,9 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: - - commit: - note: + - commit: None + note: The vulnerability was caused by a simple abscence of bounds check to prevent overflow. I did not find + any interesting comits relating to that. i18n: question: | Was the feature impacted by this vulnerability about internationalization From fdbb5c43bfebe82b2df28cbf3227d817865bb713 Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Tue, 14 Nov 2023 15:21:37 -0500 Subject: [PATCH 11/13] 2013-4513 --- cves/kernel/CVE-2013-4513.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index c65fea547..fc5d9d734 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -341,7 +341,7 @@ stacktrace: Write a note about how you came to the conclusions you did, regardless of what your answer was. any_stacktraces: false - stacktrace_with_fix: + stacktrace_with_fix: false note: Did not find any stack traces in commit messages or mailing archives forgotten_check: question: | From 6c672cb0274c3b372a996e673ee0ef8b57dd57b1 Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Tue, 14 Nov 2023 15:24:16 -0500 Subject: [PATCH 12/13] 2013-4513 --- cves/kernel/CVE-2013-4513.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index fc5d9d734..5591e115c 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -240,7 +240,7 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: None + - commit: note: The vulnerability was caused by a simple abscence of bounds check to prevent overflow. I did not find any interesting comits relating to that. i18n: From 177a575c5f5e2b6a938642c5e7c87398f9d85c24 Mon Sep 17 00:00:00 2001 From: Raman Zatsarenko Date: Sun, 19 Nov 2023 10:55:47 -0500 Subject: [PATCH 13/13] feedback & upvotes --- cves/kernel/CVE-2013-4513.yml | 15 +++++++++------ cves/kernel/CVE-2017-10911.yml | 26 +++++++++++++------------- 2 files changed, 22 insertions(+), 19 deletions(-) diff --git a/cves/kernel/CVE-2013-4513.yml b/cves/kernel/CVE-2013-4513.yml index 5591e115c..c2ed5371b 100644 --- a/cves/kernel/CVE-2013-4513.yml +++ b/cves/kernel/CVE-2013-4513.yml @@ -113,7 +113,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 3 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -168,8 +168,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: A unit test can detect buffer oveflows. The problem is that the kernel tree is so big it is impossible to develop unit tests for everything. - Kernel developers rely solely on their own testing skills and abilities. + note: A unit test can detect buffer oveflows. However, the testing is not done in the kernel repo itself. Most of the time, + each contributor to the kernel repo is responsible for testing their code themselves. answer: true specification: instructions: | @@ -242,7 +242,7 @@ interesting_commits: commits: - commit: note: The vulnerability was caused by a simple abscence of bounds check to prevent overflow. I did not find - any interesting comits relating to that. + any interesting commits relating to that. i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -362,7 +362,9 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: quote from the fix commit -- We need to check "count" so we don't overflow the ei->data buffer. + note: quote from the fix commit -- We need to check "count" so we don't overflow the ei->data buffer. It is hard to tell + what exactly count refers to, since there aren't many comments in the code. I believe count may be referring to the + number of characters that the wireless device is writing through the driver. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -375,7 +377,8 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: Order of operations was not the issue + note: Order of operations was not the issue. The fix invloved a forgotten check, and the order of the + things that were checked didn't matter. lessons: question: | Are there any common lessons we have learned from class that apply to this diff --git a/cves/kernel/CVE-2017-10911.yml b/cves/kernel/CVE-2017-10911.yml index 2f74c103d..271cbade9 100644 --- a/cves/kernel/CVE-2017-10911.yml +++ b/cves/kernel/CVE-2017-10911.yml @@ -55,7 +55,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: The gist of the vulenrability is that the data structs in a certain +description: The gist of the vulnerability is that the data structs in a certain driver implementation of the Xen virtualization environment were not padded right and, therefore, could leak data if exploited by a malicious party. As a result, the malicious party could obtain priviliged data stored in memory of the program which belongs to the host or other guest users. @@ -112,7 +112,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 4 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -139,15 +139,15 @@ discovered: originally found. Answer in longform below in "answer", fill in the date in YYYY-MM-DD, and then determine if the vulnerability was found by a Google employee (you can tell from their email address). If it's clear that the - vulenrability was discovered by a contest, fill in the name there. + vulnerability was discovered by a contest, fill in the name there. The automated, contest, and developer flags can be true, false, or nil. If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: Not a lot of information provided, but it seems like the vulenrability was + answer: Not a lot of information provided, but it seems like the vulnerability was discovered by the developers of the Suse (Enterprise Linux provider) software corporation. - It appeats that this vulenrability was then reported to the Xen development team, based on + It appeats that this vulnerability was then reported to the Xen development team, based on the website xenbits.xen.org and its logs. automated: false contest: false @@ -257,7 +257,7 @@ i18n: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: Internationalization has nothing to do with this vulenrability. + note: Internationalization has nothing to do with this vulnerability. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -284,7 +284,7 @@ ipc: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: The vulenrability does not involve IPC. + note: The vulnerability does not involve IPC. It is a data leak from the memory of a single process. discussion: question: | Was there any discussion surrounding this? @@ -312,7 +312,7 @@ discussion: comment you want to make. discussed_as_security: false any_discussion: false - note: Did not find any significant discussion + note: Did not find any significant discussion. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -362,7 +362,7 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: The vulenrability involves incorrect memory allocation and data leakage from the stack as a + note: The vulnerability involves incorrect memory allocation and data leakage from the stack as a result of this. Not a forgotten check. order_of_operations: question: | @@ -376,7 +376,7 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: The vulenrability involves incorrect memory allocation and data leakage from the stack as a + note: The vulnerability involves incorrect memory allocation and data leakage from the stack as a result of this. Not order of operations issue. lessons: question: | @@ -398,7 +398,7 @@ lessons: note: least_privilege: applies: true - note: The vulenrability exposes data of other users of the system, which violates the least privilege principle. + note: The vulnerability exposes data of other users of the system, which violates the least privilege principle. frameworks_are_optional: applies: false note: @@ -419,14 +419,14 @@ lessons: note: secure_by_default: applies: true - note: A more carefully designed struct would prevent this vulenrability. I.e. a struct that was designed + note: A more carefully designed struct would prevent this vulnerability. I.e. a struct that was designed to be secure to memory leaks by default. yagni: applies: false note: complex_inputs: applies: true - note: A complex input can result in memory leakage based on this vulenrability. + note: A complex input can result in memory leakage based on this vulnerability. mistakes: question: | In your opinion, after all of this research, what mistakes were made that